VPN types include L2TP, PPTP and others.
As the title says, this post covers building an L2TP (L2TP/IPsec) VPN server.
Let's get started!!!
- Install openswan and configure IPsec
- Install xl2tpd
root@Toka:~# Older Debian releases can install it directly from the package repository
root@Toka:~# apt-get install openswan
root@Toka:~# Newer Debian releases no longer ship openswan in the package repository, so it has to be built from source!!
root@Toka:~# Install the libraries openswan needs
root@Toka:~# apt-get install libgmp3-dev
root@Toka:~# apt-get install gawk mawk flex bison
root@Toka:~# apt-get install iproute2
root@Toka:~# Install a multi-threaded download tool
root@Toka:~# apt-get install axel
root@Toka:~# Download the openswan source with the multi-threaded downloader axel
root@Toka:~# axel https://download.openswan.org/openswan/openswan-2.6.49.1.tar.gz
root@Toka:~# Extract and install
root@Toka:~# tar -zxvf openswan-2.6.49.1.tar.gz
root@Toka:~# cd openswan-2.6.49.1/
root@Toka:~# make programs
root@Toka:~# make install
root@Toka:~# Installation finished; check that it succeeded
root@Toka:~# ipsec --version
Linux Openswan U2.6.49.1/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
root@Toka:~# Installed successfully; next, start ipsec
root@Toka:~# service ipsec start
Failed to start ipsec.service: Unit ipsec.service not found.
root@Toka:~# The message above says there is no ipsec service unit, so start it through the init script's absolute path instead
root@Toka:~# /etc/init.d/ipsec start
<27>Oct 14 17:31:51 ipsec_setup: Starting Openswan IPsec U2.6.49.1/K4.9.0-3-amd64...
root@Toka:~# Started successfully
Installation is done; next, enable IP forwarding
root@Toka:~# Back up the original file first
root@Toka:~# cp /etc/sysctl.conf /etc/sysctl.conf.yl
root@Toka:~# Configure IP forwarding
root@Toka:~# echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
root@Toka:~# echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
root@Toka:~# echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
root@Toka:~# echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
root@Toka:~# echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
root@Toka:~# echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
root@Toka:~# echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
root@Toka:~# for vpn in /proc/sys/net/ipv4/conf/*;
> do
> echo 0 > $vpn/accept_redirects;
> echo 0 > $vpn/send_redirects;
> done
root@Toka:~# IP forwarding configured
Next, set up iptables
Note: without this iptables rule, clients will be able to connect to the VPN server but will have no Internet access!!!
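Two points a practitioner will want at this step: the `tee -a` lines above append a duplicate entry every time the procedure is re-run, and nothing written to /etc/sysctl.conf takes effect until `sysctl -p` (or a reboot); the `for` loop over /proc only changes the running values. The helper below is an added example, not code from the original post. It puts each key into the file exactly once, and compares a `sysctl -a`-style snapshot against the values this setup needs. The key list is the post's own, plus `net.ipv4.conf.default.accept_redirects`, which the post sets only through the /proc loop (and which `ipsec verify` checks); that addition is mine. The file contents in the comments and test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent sysctl.conf editing
# and a checker for a sysctl snapshot. Run on a real host as root.

# Keys required for L2TP/IPsec with NETKEY. All but the last come from the
# post's sysctl.conf lines; default.accept_redirects is added here because
# the post only sets it through the /proc loop and ipsec verify checks it.
REQUIRED_SYSCTLS='
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.default.accept_redirects=0
'

# set_sysctl_key FILE KEY VALUE: write "KEY = VALUE" into FILE exactly once,
# replacing any existing (or commented-out) line for KEY.
set_sysctl_key() {
    file="$1" key="$2" value="$3"
    tmp="$file.tmp.$$"
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for grep -E
    if [ -f "$file" ]; then
        grep -v -E "^[[:space:]]*#?[[:space:]]*${key_re}[[:space:]]*=" "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# check_sysctl_snapshot FILE: FILE holds "key = value" lines (e.g. `sysctl -a > FILE`).
# Prints one line per missing or wrong key; returns 1 if any, 0 if all match.
check_sysctl_snapshot() {
    snapshot="$1"
    rc=0
    for pair in $REQUIRED_SYSCTLS; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(awk -F= -v k="$key" '{ gsub(/[[:space:]]/, "", $1);
            if ($1 == k) { gsub(/[[:space:]]/, "", $2); print $2; exit } }' "$snapshot")
        if [ -z "$have" ]; then
            echo "$key: missing, want $want"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "$key: have $have, want $want"; rc=1
        fi
    done
    return $rc
}

# Real-host usage (only runs when invoked with --apply, so the file can be sourced):
if [ "${1:-}" = "--apply" ]; then
    cp /etc/sysctl.conf /etc/sysctl.conf.yl            # same backup the post makes
    for pair in $REQUIRED_SYSCTLS; do
        set_sysctl_key /etc/sysctl.conf "${pair%%=*}" "${pair#*=}"
    done
    sysctl -p                                          # load the file into the kernel
    sysctl -a 2>/dev/null > /tmp/sysctl.now
    check_sysctl_snapshot /tmp/sysctl.now && echo "all required sysctls are in effect"
fi
```

Run it as `sh sysctl-check.sh --apply` after the backup step; a non-zero exit from `check_sysctl_snapshot` lists exactly the keys `ipsec verify` would later complain about.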
root@Toka:~# iptables -t nat -A POSTROUTING -s 172.16.1.1/24 -o eth0 -j MASQUERADE
Configure IPsec
root@Toka:~# Back up the original configuration file first
root@Toka:~# cp /etc/ipsec.conf /etc/ipsec.conf.yl
root@Toka:~# MYIP=`/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d "addr:"`
root@Toka:~# echo $MYIP
122.114.228.217 10.122.228.217
root@Toka:~# MYIP above came back with two addresses, so set it by hand to the correct one; if 'echo $MYIP' prints a single IPv4 address, it is already correct
root@Toka:~# MYIP='122.114.228.217'
root@Toka:~# OK, the MYIP variable is set; now generate the ipsec.conf configuration file directly
root@Toka:~# cat >/etc/ipsec.conf << EOF
>version 2 # conforms to second version of ipsec.conf specification
>
> config setup
> dumpdir=/var/run/pluto/
> #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
>
> nat_traversal=yes
> #whether to accept/offer to support NAT (NAPT, also known as "IP Masquerade") workaround for IPsec
>
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
> #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
>
> protostack=netkey
> #decide which protocol stack is going to be used.
>
> force_keepalive=yes
> keep_alive=60
> # Send a keep-alive packet every 60 seconds.
>
> conn L2TP-PSK-noNAT
> authby=secret
> #shared secret. Use rsasig for certificates.
>
> pfs=no
> #Disable pfs
>
> auto=add
> #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
>
> keyingtries=3
> #Only negotiate a conn. 3 times.
>
> ikelifetime=8h
> keylife=1h
>
> ike=aes256-sha1,aes128-sha1,3des-sha1
> phase2alg=aes256-sha1,aes128-sha1,3des-sha1
> # https://lists.openswan.org/pipermail/users/2014-April/022947.html
> # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
>
> type=transport
> #because we use l2tp as tunnel protocol
>
> left=$MYIP
> leftnexthop=$MYIP
> #fill in server IP above
>
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/%any
>
> dpddelay=10
> # Dead Peer Detection (RFC 3706) keepalives delay
> dpdtimeout=20
> # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
> dpdaction=clear
> # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
> EOF
root@Toka:~#
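The `MYIP=` pipeline above breaks whenever the host has more than one address (here it returned the public 122.114.228.217 and a private 10.122.228.217), and `ifconfig` is no longer installed by default on newer Debian. The following is an added example, not code from the original post: it reads addresses with `ip -4 addr` (the `detect_local_ipv4s` function is my own) and picks the first one that is not loopback, link-local, RFC 1918 or carrier-grade NAT space, which is what `left=` in ipsec.conf needs. The address lists in the test are constructed from the two addresses shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): choose the server's public IPv4
# address from a list of candidates, for use as left= / leftnexthop= in ipsec.conf.

# is_private_ipv4 A.B.C.D -> exit 0 if the address is not globally routable
is_private_ipv4() {
    ip="$1"
    a=$(printf '%s' "$ip" | cut -d. -f1)
    b=$(printf '%s' "$ip" | cut -d. -f2)
    case "$a" in
        0|10|127) return 0 ;;                                    # "this", 10/8, loopback
        172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;  # 172.16/12
        192) [ "$b" -eq 168 ] && return 0 ;;                     # 192.168/16
        169) [ "$b" -eq 254 ] && return 0 ;;                     # 169.254/16 link-local
        100) [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 0 ;; # 100.64/10 CGNAT
    esac
    return 1
}

# pick_public_ipv4 "ip1 ip2 ..." -> prints the first routable address; exit 1 if none
pick_public_ipv4() {
    for ip in $1; do
        case "$ip" in
            *[!0-9.]*|*..*|.*|*.) continue ;;   # bad characters or empty octet
            *.*.*.*) ;;                          # four octets: keep
            *) continue ;;
        esac
        if ! is_private_ipv4 "$ip"; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    return 1
}

# detect_local_ipv4s -> every IPv4 address configured on this host, one per line.
# Uses iproute2 (installed above), so it works where ifconfig is absent.
detect_local_ipv4s() {
    ip -4 -o addr show 2>/dev/null | awk '{ sub("/.*", "", $4); print $4 }'
}

# Real-host usage (only runs with --detect, so the file can be sourced for its functions):
if [ "${1:-}" = "--detect" ]; then
    MYIP=$(pick_public_ipv4 "$(detect_local_ipv4s | tr '\n' ' ')") \
        || { echo "no public IPv4 address found; set MYIP by hand" >&2; exit 1; }
    echo "MYIP=$MYIP"
fi
```

On a server behind a NAT (cloud providers often assign only a private address to the interface) the function correctly finds nothing, and `left=` should then be the private address with the public one handled by NAT traversal; in that case set MYIP by hand as the post does.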
Next, configure the pre-shared key (PSK) for the IPsec connection
root@Toka:~# Note: the pre-shared key here is set to "toka.pro"
root@Toka:~# cat >/etc/ipsec.secrets << EOF
> $MYIP %any: PSK "toka.pro"
> EOF
root@Toka:~# Now restart the service
root@Toka:~# /etc/init.d/ipsec restart
<27>Jul 30 23:11:35 ipsec_setup: Stopping Openswan IPsec...
<27>Jul 30 23:11:37 ipsec_setup: Starting Openswan IPsec U2.6.49.1/K4.9.0-3-amd64...
root@Toka:~# Verify it again; if the output looks like the following, the whole ipsec configuration is correct!!!
root@Toka:~# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.49.1/K4.9.0-3-amd64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
root@Toka:~# ipsec installation and configuration complete
Install and configure xl2tpd, ppp and lsof
root@Toka:~# apt-get install xl2tpd ppp lsof
root@Toka:~# Configure xl2tpd; back up the original configuration file first
root@Toka:~# cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.yl
root@Toka:~# cat >/etc/xl2tpd/xl2tpd.conf << EOF
> [global]
> ipsec saref = yes
> saref refinfo = 30
>
> ;debug avp = yes
> ;debug network = yes
> ;debug state = yes
> ;debug tunnel = yes
>
> [lns default]
> ip range = 172.16.1.30-172.16.1.100
> local ip = 172.16.1.1
> refuse pap = yes
> require authentication = yes
> ;ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
> EOF
root@Toka:~# Configure PPP
root@Toka:~# cat >/etc/ppp/options.xl2tpd << EOF
> require-mschap-v2
> ms-dns 119.29.29.29
> ms-dns 4.2.2.1
> auth
> mtu 1000
> mru 1000
> crtscts
> hide-password
> modem
> name l2tpd
> proxyarp
> lcp-echo-interval 0
> lcp-echo-failure 0
> EOF
root@Toka:~# Add the VPN account and password
root@Toka:~# cat >/etc/ppp/chap-secrets << EOF
> # Secrets for authentication using CHAP
> # client server secret IP addresses
> # account  service-type  password  IP
> toka l2tpd toka.pro *
> EOF
root@Toka:~# Remember: the VPN account set above is toka with password toka.pro; don't mistype them when connecting from the client
root@Toka:~# That completes the VPN server installation and configuration; restart all services, then connect with a client!!
root@Toka:~# /etc/init.d/ipsec restart
root@Toka:~# /etc/init.d/xl2tpd restart
All done!! Three things to keep in mind:
1. On the client, choose the VPN type "L2TP/IPsec with pre-shared key".
2. When connecting, the server IP address must be entered correctly; the pre-shared key is toka.pro as configured above, the account is toka and the password is toka.pro.
3. The server should preferably be located outside China, because a server inside China is blocked from reaching foreign sites just the same!!!